Tree - source-git/krb5 - CentOS Git server

source-git / krb5

Blame src/tests/kdbtest.c

Blob History Raw

Packit	fd8b60	`/* -- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -- */`
Packit	fd8b60	`/* tests/kdbtest.c - test program to exercise KDB modules */`
Packit	fd8b60	`/*`
Packit	fd8b60	`* Copyright (C) 2012 by the Massachusetts Institute of Technology.`
Packit	fd8b60	`* All rights reserved.`
Packit	fd8b60	`*`
Packit	fd8b60	`* Redistribution and use in source and binary forms, with or without`
Packit	fd8b60	`* modification, are permitted provided that the following conditions`
Packit	fd8b60	`* are met:`
Packit	fd8b60	`*`
Packit	fd8b60	`* * Redistributions of source code must retain the above copyright`
Packit	fd8b60	`* notice, this list of conditions and the following disclaimer.`
Packit	fd8b60	`*`
Packit	fd8b60	`* * Redistributions in binary form must reproduce the above copyright`
Packit	fd8b60	`* notice, this list of conditions and the following disclaimer in`
Packit	fd8b60	`* the documentation and/or other materials provided with the`
Packit	fd8b60	`* distribution.`
Packit	fd8b60	`*`
Packit	fd8b60	`* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS`
Packit	fd8b60	`* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT`
Packit	fd8b60	`* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS`
Packit	fd8b60	`* FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE`
Packit	fd8b60	`* COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,`
Packit	fd8b60	`* INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES`
Packit	fd8b60	`* (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR`
Packit	fd8b60	`* SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)`
Packit	fd8b60	`* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,`
Packit	fd8b60	`* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)`
Packit	fd8b60	`* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED`
Packit	fd8b60	`* OF THE POSSIBILITY OF SUCH DAMAGE.`
Packit	fd8b60	`*/`
Packit	fd8b60
Packit	fd8b60	`/*`
Packit	fd8b60	`* This test program uses libkdb5 APIs to exercise as much of the LDAP and DB2`
Packit	fd8b60	`* back ends.`
Packit	fd8b60	`*/`
Packit	fd8b60
Packit	fd8b60	`#include <krb5.h>`
Packit	fd8b60	`#include <kadm5/admin.h>`
Packit	fd8b60	`#include <string.h>`
Packit	fd8b60
Packit	fd8b60	`static krb5_context ctx;`
Packit	fd8b60
Packit	fd8b60	`#define CHECK(code) check(code, __LINE__)`
Packit	fd8b60	`#define CHECK_COND(val) check_cond(val, __LINE__)`
Packit	fd8b60
Packit	fd8b60	`static void`
Packit	fd8b60	`check(krb5_error_code code, int lineno)`
Packit	fd8b60	`{`
Packit	fd8b60	`const char *errmsg;`
Packit	fd8b60
Packit	fd8b60	`if (code) {`
Packit	fd8b60	`errmsg = krb5_get_error_message(ctx, code);`
Packit	fd8b60	`fprintf(stderr, "Unexpected error at line %d: %s\n", lineno, errmsg);`
Packit	fd8b60	`krb5_free_error_message(ctx, errmsg);`
Packit	fd8b60	`exit(1);`
Packit	fd8b60	`}`
Packit	fd8b60	`}`
Packit	fd8b60
Packit	fd8b60	`static void`
Packit	fd8b60	`check_cond(int value, int lineno)`
Packit	fd8b60	`{`
Packit	fd8b60	`if (!value) {`
Packit	fd8b60	`fprintf(stderr, "Unexpected result at line %d\n", lineno);`
Packit	fd8b60	`exit(1);`
Packit	fd8b60	`}`
Packit	fd8b60	`}`
Packit	fd8b60
Packit	fd8b60	`static krb5_data princ_data[2] = {`
Packit	fd8b60	`{ KV5M_DATA, 6, "xy*(z)" },`
Packit	fd8b60	`{ KV5M_DATA, 12, "+<> *()\\#\",;" }`
Packit	fd8b60	`};`
Packit	fd8b60
Packit	fd8b60	`static krb5_principal_data sample_princ = {`
Packit	fd8b60	`KV5M_PRINCIPAL,`
Packit	fd8b60	`{ KV5M_DATA, 11, "KRBTEST.COM" },`
Packit	fd8b60	`princ_data, 2, KRB5_NT_UNKNOWN`
Packit	fd8b60	`};`
Packit	fd8b60
Packit	fd8b60	`static krb5_principal_data xrealm_princ = {`
Packit	fd8b60	`KV5M_PRINCIPAL,`
Packit	fd8b60	`{ KV5M_DATA, 12, "KRBTEST2.COM" },`
Packit	fd8b60	`princ_data, 2, KRB5_NT_UNKNOWN`
Packit	fd8b60	`};`
Packit	fd8b60
Packit	fd8b60	`#define U(x) (unsigned char *)x`
Packit	fd8b60
Packit	fd8b60	`/*`
Packit	fd8b60	`* tl1 through tl4 are normalized to attributes in the LDAP back end. tl5 is`
Packit	fd8b60	`* stored as untranslated tl-data. tl3 contains an encoded osa_princ_ent with`
Packit	fd8b60	`* a policy reference to "<test*>".`
Packit	fd8b60	`*/`
Packit	fd8b60	`static krb5_tl_data tl5 = { NULL, KRB5_TL_MKVNO, 2, U("\0\1") };`
Packit	fd8b60	`static krb5_tl_data tl4 = { &tl5, KRB5_TL_LAST_ADMIN_UNLOCK, 4,`
Packit	fd8b60	`U("\6\0\0\0") };`
Packit	fd8b60	`static krb5_tl_data tl3 = { &tl4, KRB5_TL_KADM_DATA, 32,`
Packit	fd8b60	`U("\x12\x34\x5C\x01\x00\x00\x00\x08"`
Packit	fd8b60	`"\x3C\x74\x65\x73\x74\x2A\x3E\x00"`
Packit	fd8b60	`"\x00\x00\x08\x00\x00\x00\x00\x00"`
Packit	fd8b60	`"\x00\x00\x00\x00\x00\x00\x00\x00") };`
Packit	fd8b60	`static krb5_tl_data tl2 = { &tl3, KRB5_TL_MOD_PRINC, 8, U("\5\6\7\0x@Y\0") };`
Packit	fd8b60	`static krb5_tl_data tl1 = { &tl2, KRB5_TL_LAST_PWD_CHANGE, 4, U("\1\2\3\4") };`
Packit	fd8b60
Packit	fd8b60	`/* An encoded osa_print_enc with no policy reference. */`
Packit	fd8b60	`static krb5_tl_data tl_no_policy = { NULL, KRB5_TL_KADM_DATA, 24,`
Packit	fd8b60	`U("\x12\x34\x5C\x01\x00\x00\x00\x00"`
Packit	fd8b60	`"\x00\x00\x00\x00\x00\x00\x00\x00"`
Packit	fd8b60	`"\x00\x00\x00\x02\x00\x00\x00\x00") };`
Packit	fd8b60
Packit	fd8b60	`static krb5_key_data keys[] = {`
Packit	fd8b60	`{`
Packit	fd8b60	`2, /* key_data_ver */`
Packit	fd8b60	`2, /* key_data_kvno */`
Packit	fd8b60	`{ ENCTYPE_AES256_CTS_HMAC_SHA1_96, KRB5_KDB_SALTTYPE_SPECIAL },`
Packit	fd8b60	`{ 32, 7 },`
Packit	fd8b60	`{ U("\x17\xF2\x75\xF2\x95\x4F\x2E\xD1"`
Packit	fd8b60	`"\xF9\x0C\x37\x7B\xA7\xF4\xD6\xA3"`
Packit	fd8b60	`"\x69\xAA\x01\x36\xE0\xBF\x0C\x92"`
Packit	fd8b60	`"\x7A\xD6\x13\x3C\x69\x37\x59\xA9"),`
Packit	fd8b60	`U("expsalt") }`
Packit	fd8b60	`},`
Packit	fd8b60	`{`
Packit	fd8b60	`2, /* key_data_ver */`
Packit	fd8b60	`2, /* key_data_kvno */`
Packit	fd8b60	`{ ENCTYPE_AES128_CTS_HMAC_SHA1_96, 0 },`
Packit	fd8b60	`{ 16, 0 },`
Packit	fd8b60	`{ U("\xDC\xEE\xB7\x0B\x3D\xE7\x65\x62"`
Packit	fd8b60	`"\xE6\x89\x22\x6C\x76\x42\x91\x48"),`
Packit	fd8b60	`NULL }`
Packit	fd8b60	`}`
Packit	fd8b60	`};`
Packit	fd8b60	`#undef U`
Packit	fd8b60
Packit	fd8b60	`static char polname[] = "<test*>";`
Packit	fd8b60
Packit	fd8b60	`static krb5_db_entry sample_entry = {`
Packit	fd8b60	`0,`
Packit	fd8b60	`KRB5_KDB_V1_BASE_LENGTH,`
Packit	fd8b60	`/* mask */`
Packit	fd8b60	`KADM5_PRINCIPAL \| KADM5_PRINC_EXPIRE_TIME \| KADM5_PW_EXPIRATION \|`
Packit	fd8b60	`KADM5_ATTRIBUTES \| KADM5_MAX_LIFE \| KADM5_POLICY \| KADM5_MAX_RLIFE \|`
Packit	fd8b60	`KADM5_LAST_SUCCESS \| KADM5_LAST_FAILED \| KADM5_FAIL_AUTH_COUNT \|`
Packit	fd8b60	`KADM5_KEY_DATA \| KADM5_TL_DATA,`
Packit	fd8b60	`/* attributes */`
Packit	fd8b60	`KRB5_KDB_REQUIRES_PRE_AUTH \| KRB5_KDB_REQUIRES_HW_AUTH \|`
Packit	fd8b60	`KRB5_KDB_DISALLOW_SVR,`
Packit	fd8b60	`1234, /* max_life */`
Packit	fd8b60	`5678, /* max_renewable_life */`
Packit	fd8b60	`9012, /* expiration */`
Packit	fd8b60	`3456, /* pw_expiration */`
Packit	fd8b60	`1, /* last_success */`
Packit	fd8b60	`5, /* last_failed */`
Packit	fd8b60	`2, /* fail_auth_count */`
Packit	fd8b60	`5, /* n_tl_data */`
Packit	fd8b60	`2, /* n_key_data */`
Packit	fd8b60	`0, NULL, /* e_length, e_data */`
Packit	fd8b60	`&sample_princ,`
Packit	fd8b60	`&tl1,`
Packit	fd8b60	`keys`
Packit	fd8b60	`};`
Packit	fd8b60
Packit	fd8b60	`static osa_policy_ent_rec sample_policy = {`
Packit	fd8b60	`0, /* version */`
Packit	fd8b60	`polname, /* name */`
Packit	fd8b60	`1357, /* pw_min_life */`
Packit	fd8b60	`100, /* pw_max_life */`
Packit	fd8b60	`6, /* pw_min_length */`
Packit	fd8b60	`2, /* pw_min_classes */`
Packit	fd8b60	`3, /* pw_history_num */`
Packit	fd8b60	`0, /* policy_refcnt */`
Packit	fd8b60	`2, /* pw_max_fail */`
Packit	fd8b60	`60, /* pw_failcnt_interval */`
Packit	fd8b60	`120, /* pw_lockout_duration */`
Packit	fd8b60	`0, /* attributes */`
Packit	fd8b60	`2468, /* max_life */`
Packit	fd8b60	`3579, /* max_renewable_life */`
Packit	fd8b60	`"aes", /* allowed_keysalts */`
Packit	fd8b60	`0, NULL /* n_tl_data, tl_data */`
Packit	fd8b60	`};`
Packit	fd8b60
Packit	fd8b60	`/* Compare pol against sample_policy. */`
Packit	fd8b60	`static void`
Packit	fd8b60	`check_policy(osa_policy_ent_t pol)`
Packit	fd8b60	`{`
Packit	fd8b60	`CHECK_COND(strcmp(pol->name, sample_policy.name) == 0);`
Packit	fd8b60	`CHECK_COND(pol->pw_min_life == sample_policy.pw_min_life);`
Packit	fd8b60	`CHECK_COND(pol->pw_max_life == sample_policy.pw_max_life);`
Packit	fd8b60	`CHECK_COND(pol->pw_min_length == sample_policy.pw_min_length);`
Packit	fd8b60	`CHECK_COND(pol->pw_min_classes == sample_policy.pw_min_classes);`
Packit	fd8b60	`CHECK_COND(pol->pw_history_num == sample_policy.pw_history_num);`
Packit	fd8b60	`CHECK_COND(pol->pw_max_life == sample_policy.pw_max_life);`
Packit	fd8b60	`CHECK_COND(pol->pw_failcnt_interval == sample_policy.pw_failcnt_interval);`
Packit	fd8b60	`CHECK_COND(pol->pw_lockout_duration == sample_policy.pw_lockout_duration);`
Packit	fd8b60	`CHECK_COND(pol->attributes == sample_policy.attributes);`
Packit	fd8b60	`CHECK_COND(pol->max_life == sample_policy.max_life);`
Packit	fd8b60	`CHECK_COND(pol->max_renewable_life == sample_policy.max_renewable_life);`
Packit	fd8b60	`CHECK_COND(strcmp(pol->allowed_keysalts,`
Packit	fd8b60	`sample_policy.allowed_keysalts) == 0);`
Packit	fd8b60	`}`
Packit	fd8b60
Packit	fd8b60	`/* Compare ent against sample_entry. */`
Packit	fd8b60	`static void`
Packit	fd8b60	`check_entry(krb5_db_entry *ent)`
Packit	fd8b60	`{`
Packit	fd8b60	`krb5_int16 i, j;`
Packit	fd8b60	`krb5_key_data k1, k2;`
Packit	fd8b60	`krb5_tl_data *tl, etl;`
Packit	fd8b60
Packit	fd8b60	`CHECK_COND(ent->attributes == sample_entry.attributes);`
Packit	fd8b60	`CHECK_COND(ent->max_life == sample_entry.max_life);`
Packit	fd8b60	`CHECK_COND(ent->max_renewable_life == sample_entry.max_renewable_life);`
Packit	fd8b60	`CHECK_COND(ent->expiration == sample_entry.expiration);`
Packit	fd8b60	`CHECK_COND(ent->pw_expiration == sample_entry.pw_expiration);`
Packit	fd8b60	`CHECK_COND(ent->last_success == sample_entry.last_success);`
Packit	fd8b60	`CHECK_COND(ent->last_failed == sample_entry.last_failed);`
Packit	fd8b60	`CHECK_COND(ent->fail_auth_count == sample_entry.fail_auth_count);`
Packit	fd8b60	`CHECK_COND(krb5_principal_compare(ctx, ent->princ, sample_entry.princ));`
Packit	fd8b60	`CHECK_COND(ent->n_key_data == sample_entry.n_key_data);`
Packit	fd8b60	`for (i = 0; i < ent->n_key_data; i++) {`
Packit	fd8b60	`k1 = &ent->key_data[i];`
Packit	fd8b60	`k2 = &sample_entry.key_data[i];`
Packit	fd8b60	`CHECK_COND(k1->key_data_ver == k2->key_data_ver);`
Packit	fd8b60	`CHECK_COND(k1->key_data_kvno == k2->key_data_kvno);`
Packit	fd8b60	`for (j = 0; j < k1->key_data_ver; j++) {`
Packit	fd8b60	`CHECK_COND(k1->key_data_type[j] == k2->key_data_type[j]);`
Packit	fd8b60	`CHECK_COND(k1->key_data_length[j] == k2->key_data_length[j]);`
Packit	fd8b60	`CHECK_COND(memcmp(k1->key_data_contents[j],`
Packit	fd8b60	`k2->key_data_contents[j],`
Packit	fd8b60	`k1->key_data_length[j]) == 0);`
Packit	fd8b60	`}`
Packit	fd8b60	`}`
Packit	fd8b60	`for (tl = sample_entry.tl_data; tl != NULL; tl = tl->tl_data_next) {`
Packit	fd8b60	`etl.tl_data_type = tl->tl_data_type;`
Packit	fd8b60	`CHECK(krb5_dbe_lookup_tl_data(ctx, ent, &etl));`
Packit	fd8b60	`CHECK_COND(tl->tl_data_length == etl.tl_data_length);`
Packit	fd8b60	`CHECK_COND(memcmp(tl->tl_data_contents, etl.tl_data_contents,`
Packit	fd8b60	`tl->tl_data_length) == 0);`
Packit	fd8b60	`}`
Packit	fd8b60	`}`
Packit	fd8b60
Packit	fd8b60	`/* Audit a successful or failed preauth attempt for entp. Then reload entp`
Packit	fd8b60	`* (by fetching sample_princ) so we can see the effect. */`
Packit	fd8b60	`static void`
Packit	fd8b60	`sim_preauth(krb5_timestamp authtime, krb5_boolean ok, krb5_db_entry **entp)`
Packit	fd8b60	`{`
Packit	fd8b60	`/* Both back ends ignore the request, local_addr, and remote_addr`
Packit	fd8b60	`* parameters for now. */`
Packit	fd8b60	`krb5_db_audit_as_req(ctx, NULL, NULL, NULL, entp, entp, authtime,`
Packit	fd8b60	`ok ? 0 : KRB5KDC_ERR_PREAUTH_FAILED);`
Packit	fd8b60	`krb5_db_free_principal(ctx, *entp);`
Packit	fd8b60	`CHECK(krb5_db_get_principal(ctx, &sample_princ, 0, entp));`
Packit	fd8b60	`}`
Packit	fd8b60
Packit	fd8b60	`static krb5_error_code`
Packit	fd8b60	`iter_princ_handler(void data, krb5_db_entry ent)`
Packit	fd8b60	`{`
Packit	fd8b60	`int *count = data;`
Packit	fd8b60
Packit	fd8b60	`CHECK_COND(krb5_principal_compare(ctx, ent->princ, sample_entry.princ));`
Packit	fd8b60	`(*count)++;`
Packit	fd8b60	`return 0;`
Packit	fd8b60	`}`
Packit	fd8b60
Packit	fd8b60	`static void`
Packit	fd8b60	`iter_pol_handler(void *data, osa_policy_ent_t pol)`
Packit	fd8b60	`{`
Packit	fd8b60	`int *count = data;`
Packit	fd8b60
Packit	fd8b60	`CHECK_COND(strcmp(pol->name, sample_policy.name) == 0);`
Packit	fd8b60	`(*count)++;`
Packit	fd8b60	`}`
Packit	fd8b60
Packit	fd8b60	`int`
Packit	fd8b60	`main()`
Packit	fd8b60	`{`
Packit	fd8b60	`krb5_db_entry *ent;`
Packit	fd8b60	`osa_policy_ent_t pol;`
Packit	fd8b60	`krb5_pa_data **e_data;`
Packit	fd8b60	`const char *status;`
Packit	fd8b60	`int count;`
Packit	fd8b60
Packit	fd8b60	`CHECK(krb5_init_context_profile(NULL, KRB5_INIT_CONTEXT_KDC, &ctx));`
Packit	fd8b60
Packit	fd8b60	`/* If we can, revert to requiring all entries match sample_princ in`
Packit	fd8b60	`* iter_princ_handler */`
Packit	fd8b60	`CHECK_COND(krb5_db_inited(ctx) != 0);`
Packit	fd8b60	`CHECK(krb5_db_create(ctx, NULL));`
Packit	fd8b60	`CHECK(krb5_db_inited(ctx));`
Packit	fd8b60	`CHECK(krb5_db_fini(ctx));`
Packit	fd8b60	`CHECK_COND(krb5_db_inited(ctx) != 0);`
Packit	fd8b60
Packit	fd8b60	`CHECK_COND(krb5_db_inited(ctx) != 0);`
Packit	fd8b60	`CHECK(krb5_db_open(ctx, NULL, KRB5_KDB_OPEN_RW \| KRB5_KDB_SRV_TYPE_ADMIN));`
Packit	fd8b60	`CHECK(krb5_db_inited(ctx));`
Packit	fd8b60
Packit	fd8b60	`/* Manipulate a policy, leaving it in place at the end. */`
Packit	fd8b60	`CHECK_COND(krb5_db_put_policy(ctx, &sample_policy) != 0);`
Packit	fd8b60	`CHECK_COND(krb5_db_delete_policy(ctx, polname) != 0);`
Packit	fd8b60	`CHECK_COND(krb5_db_get_policy(ctx, polname, &pol) == KRB5_KDB_NOENTRY);`
Packit	fd8b60	`CHECK(krb5_db_create_policy(ctx, &sample_policy));`
Packit	fd8b60	`CHECK_COND(krb5_db_create_policy(ctx, &sample_policy) != 0);`
Packit	fd8b60	`CHECK(krb5_db_get_policy(ctx, polname, &pol));`
Packit	fd8b60	`check_policy(pol);`
Packit	fd8b60	`pol->pw_min_length--;`
Packit	fd8b60	`CHECK(krb5_db_put_policy(ctx, pol));`
Packit	fd8b60	`krb5_db_free_policy(ctx, pol);`
Packit	fd8b60	`CHECK(krb5_db_get_policy(ctx, polname, &pol));`
Packit	fd8b60	`CHECK_COND(pol->pw_min_length == sample_policy.pw_min_length - 1);`
Packit	fd8b60	`krb5_db_free_policy(ctx, pol);`
Packit	fd8b60	`CHECK(krb5_db_delete_policy(ctx, polname));`
Packit	fd8b60	`CHECK_COND(krb5_db_put_policy(ctx, &sample_policy) != 0);`
Packit	fd8b60	`CHECK_COND(krb5_db_delete_policy(ctx, polname) != 0);`
Packit	fd8b60	`CHECK_COND(krb5_db_get_policy(ctx, polname, &pol) == KRB5_KDB_NOENTRY);`
Packit	fd8b60	`CHECK(krb5_db_create_policy(ctx, &sample_policy));`
Packit	fd8b60	`count = 0;`
Packit	fd8b60	`CHECK(krb5_db_iter_policy(ctx, NULL, iter_pol_handler, &count));`
Packit	fd8b60	`CHECK_COND(count == 1);`
Packit	fd8b60
Packit	fd8b60	`/* Create a principal. */`
Packit	fd8b60	`CHECK_COND(krb5_db_delete_principal(ctx, &sample_princ) ==`
Packit	fd8b60	`KRB5_KDB_NOENTRY);`
Packit	fd8b60	`CHECK_COND(krb5_db_get_principal(ctx, &xrealm_princ, 0, &ent) ==`
Packit	fd8b60	`KRB5_KDB_NOENTRY);`
Packit	fd8b60	`CHECK(krb5_db_put_principal(ctx, &sample_entry));`
Packit	fd8b60	`/* Putting again will fail with LDAP (due to KADM5_PRINCIPAL in mask)`
Packit	fd8b60	`* but succeed with DB2, so don't check the result. */`
Packit	fd8b60	`(void)krb5_db_put_principal(ctx, &sample_entry);`
Packit	fd8b60	`/* But it should succeed in both back ends with KADM5_LOAD in mask. */`
Packit	fd8b60	`sample_entry.mask \|= KADM5_LOAD;`
Packit	fd8b60	`CHECK(krb5_db_put_principal(ctx, &sample_entry));`
Packit	fd8b60	`sample_entry.mask &= ~KADM5_LOAD;`
Packit	fd8b60	`/* Fetch and compare the added principal. */`
Packit	fd8b60	`CHECK(krb5_db_get_principal(ctx, &sample_princ, 0, &ent));`
Packit	fd8b60	`check_entry(ent);`
Packit	fd8b60
Packit	fd8b60	`/* We can't set up a successful allowed-to-delegate check through existing`
Packit	fd8b60	`* APIs yet, but we can make a failed check. */`
Packit	fd8b60	`CHECK_COND(krb5_db_check_allowed_to_delegate(ctx, &sample_princ, ent,`
Packit	fd8b60	`&sample_princ) != 0);`
Packit	fd8b60
Packit	fd8b60	`/* Exercise lockout code. */`
Packit	fd8b60	`/* Policy params: max_fail 2, failcnt_interval 60, lockout_duration 120 */`
Packit	fd8b60	`/* Initial state: last_success 1, last_failed 5, fail_auth_count 2,`
Packit	fd8b60	`* last admin unlock 6 */`
Packit	fd8b60	`/* Check succeeds due to last admin unlock. */`
Packit	fd8b60	`CHECK(krb5_db_check_policy_as(ctx, NULL, ent, ent, 7, &status, &e_data));`
Packit	fd8b60	`/* Failure count resets to 1 due to last admin unlock. */`
Packit	fd8b60	`sim_preauth(8, FALSE, &ent;;`
Packit	fd8b60	`CHECK_COND(ent->fail_auth_count == 1 && ent->last_failed == 8);`
Packit	fd8b60	`/* Failure count resets to 1 due to failcnt_interval */`
Packit	fd8b60	`sim_preauth(70, FALSE, &ent;;`
Packit	fd8b60	`CHECK_COND(ent->fail_auth_count == 1 && ent->last_failed == 70);`
Packit	fd8b60	`/* Failure count resets to 0 due to successful preauth. */`
Packit	fd8b60	`sim_preauth(75, TRUE, &ent;;`
Packit	fd8b60	`CHECK_COND(ent->fail_auth_count == 0 && ent->last_success == 75);`
Packit	fd8b60	`/* Failure count increments to 2 and stops incrementing. */`
Packit	fd8b60	`sim_preauth(80, FALSE, &ent;;`
Packit	fd8b60	`CHECK_COND(ent->fail_auth_count == 1 && ent->last_failed == 80);`
Packit	fd8b60	`sim_preauth(100, FALSE, &ent;;`
Packit	fd8b60	`CHECK_COND(ent->fail_auth_count == 2 && ent->last_failed == 100);`
Packit	fd8b60	`sim_preauth(110, FALSE, &ent;;`
Packit	fd8b60	`CHECK_COND(ent->fail_auth_count == 2 && ent->last_failed == 100);`
Packit	fd8b60	`/* Check fails due to reaching maximum failure count. */`
Packit	fd8b60	`CHECK_COND(krb5_db_check_policy_as(ctx, NULL, ent, ent, 170, &status,`
Packit	fd8b60	`&e_data) == KRB5KDC_ERR_CLIENT_REVOKED);`
Packit	fd8b60	`/* Check succeeds after lockout_duration has passed. */`
Packit	fd8b60	`CHECK(krb5_db_check_policy_as(ctx, NULL, ent, ent, 230, &status, &e_data));`
Packit	fd8b60	`/* Failure count resets to 1 on next failure. */`
Packit	fd8b60	`sim_preauth(240, FALSE, &ent;;`
Packit	fd8b60	`CHECK_COND(ent->fail_auth_count == 1 && ent->last_failed == 240);`
Packit	fd8b60
Packit	fd8b60	`/* Exercise LDAP code to clear a policy reference and to set the key`
Packit	fd8b60	`* data on an existing principal. */`
Packit	fd8b60	`CHECK(krb5_dbe_update_tl_data(ctx, ent, &tl_no_policy));`
Packit	fd8b60	`ent->mask = KADM5_POLICY_CLR \| KADM5_KEY_DATA;`
Packit	fd8b60	`CHECK(krb5_db_put_principal(ctx, ent));`
Packit	fd8b60	`CHECK(krb5_db_delete_policy(ctx, polname));`
Packit	fd8b60
Packit	fd8b60	`/* Put the modified entry again (with KDB_TL_USER_INFO tl-data for LDAP) as`
Packit	fd8b60	`* from a load operation. */`
Packit	fd8b60	`ent->mask = (sample_entry.mask & ~KADM5_POLICY) \| KADM5_LOAD;`
Packit	fd8b60	`CHECK(krb5_db_put_principal(ctx, ent));`
Packit	fd8b60
Packit	fd8b60	`/* Exercise LDAP code to create a new principal at a DN from`
Packit	fd8b60	`* KDB_TL_USER_INFO tl-data. */`
Packit	fd8b60	`CHECK(krb5_db_delete_principal(ctx, &sample_princ));`
Packit	fd8b60	`CHECK(krb5_db_put_principal(ctx, ent));`
Packit	fd8b60	`krb5_db_free_principal(ctx, ent);`
Packit	fd8b60
Packit	fd8b60	`/* Exercise principal iteration code. */`
Packit	fd8b60	`count = 0;`
Packit	fd8b60	`CHECK(krb5_db_iterate(ctx, "xy*", iter_princ_handler, &count, 0));`
Packit	fd8b60	`CHECK_COND(count == 1);`
Packit	fd8b60
Packit	fd8b60	`CHECK(krb5_db_fini(ctx));`
Packit	fd8b60	`CHECK_COND(krb5_db_inited(ctx) != 0);`
Packit	fd8b60
Packit	fd8b60	`/* It might be nice to exercise krb5_db_destroy here, but the LDAP module`
Packit	fd8b60	`* doesn't support it. */`
Packit	fd8b60
Packit	fd8b60	`krb5_free_context(ctx);`
Packit	fd8b60	`return 0;`
Packit	fd8b60	`}`

source-git / krb5

Source Code

Blame src/tests/kdbtest.c